Bit-flipping Decoder Failure Rate Estimation for (v,w)-regular Codes
| Autor: | Annechini, Alessandro, Barenghi, Alessandro, Pelosi, Gerardo |
|---|---|
| Rok vydání: | 2024 |
| Předmět: | |
| Druh dokumentu: | Working Paper |
| Popis: | Providing closed form estimates of the decoding failure rate of iterative decoder for low- and moderate-density parity check codes has attracted significant interest in the research community over the years. This interest has raised recently due to the use of iterative decoders in post-quantum cryptosystems, where the desired decoding failure rates are impossible to estimate via Monte Carlo simulations. In this work, we propose a new technique to provide accurate estimates of the DFR of a two-iterations (parallel) bit flipping decoder, which is also employable for cryptographic purposes. In doing so, we successfully tackle the estimation of the bit flipping probabilities at the second decoder iteration, and provide a fitting estimate for the syndrome weight distribution at the first iteration. We numerically validate our results, providing comparisons of the modeled and simulated weight of the syndrome, incorrectly-guessed error bit distribution at the end of the first iteration, and two-iteration Decoding Failure Rates (DFR), both in the floor and waterfall regime for simulatable codes. Finally, we apply our method to estimate the DFR of LEDAcrypt parameters, showing improvements by factors larger than $2^{70}$ (for NIST category $1$) with respect to the previous estimation techniques. This allows for a $\approx 20$% shortening in public key and ciphertext sizes, at no security loss, making the smallest ciphertext for NIST category $1$ only $6$% larger than the one of BIKE. We note that the analyzed two-iterations decoder is applicable in BIKE, where swapping it with the current black-gray decoder (and adjusting the parameters) would provide strong IND-CCA$2$ guarantees. Comment: Fixed typos: derivation of a from a=(x-y+v)/2 to a=(y-x+v)/2; replaced (x-y+v)/2 with (y-x+v)/2 and (x-y+v-1)/2 with (y-x+v-1)/2 in rho(x,y,l); replaced d+ with d- in the def. of delta-(d-); replaced epsilon01-l with l in zeta(tc,l,epsilon01) and epsilon11-l with l in lambda(tc,l,epsilon11) (apart from the def.s); explicited epsilon01 and epsilon11 in zeta and chi_odd |
| Databáze: | arXiv |
| Externí odkaz: |
|